Lab objectives:
- Master the configuration steps for GRE over IPsec VPN
- Understand how each phase of a GRE over IPsec VPN operates
Lab notes:
- Working through this lab gives a better grasp of how IPsec VPN is implemented and of the scenarios it is used in. GRE on its own is neither encrypted nor authenticated; IPsec is what protects the tunnel, which is why the crypto ACL later matches the GRE packets between the two tunnel endpoints rather than the private subnets.
Lab environment:
- Four routers running an IOS image with the SP Services (spservices) feature set (a k9 crypto image is needed for the IPsec commands)
- Straight-through cables
Lab topology (the original diagram is not reproduced; the layout below is derived from the configuration):
PC f0/0 192.168.1.1 --- f0/0 192.168.1.254 SITE1 f1/0 12.1.1.1 --- f1/0 12.1.1.2 Internet f1/1 23.1.1.2 --- f1/1 23.1.1.3 SITE2 Lo0 10.1.1.1
GRE Tunnel0: 20.1.1.1 (SITE1) <--> 20.1.1.2 (SITE2), sourced from 12.1.1.1 and 23.1.1.3 and carried inside IPsec between those two public addresses
Lab steps:
Basic addressing and default routes (the Internet router only forwards between the two sites; SITE1 and SITE2 default-route towards it):
PC(config)#interface f0/0
PC(config-if)#ip address 192.168.1.1 255.255.255.0
PC(config-if)#no shutdown
PC(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
SITE1(config)#interface f0/0
SITE1(config-if)#ip address 192.168.1.254 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config-if)#int f1/0
SITE1(config-if)#ip address 12.1.1.1 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
Internet(config)#interface f1/0
Internet(config-if)#ip address 12.1.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#int f1/1
Internet(config-if)#ip address 23.1.1.2 255.255.255.0
Internet(config-if)#no shutdown
SITE2(config)#interface f1/1
SITE2(config-if)#ip address 23.1.1.3 255.255.255.0
SITE2(config-if)#no shutdown
SITE2(config)#int lo 0
SITE2(config-if)#ip address 10.1.1.1 255.255.255.0
SITE2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
Build the GRE tunnel. Each tunnel is sourced from the router's own public address and terminates on the other router's public address; it comes up as soon as the source interface is up and the destination is reachable via the default route. At this point the tunnel already carries traffic, but the GRE packets cross the Internet router in cleartext:
SITE1(config)#interface tunnel 0
SITE1(config-if)#ip address 20.1.1.1 255.255.255.0
SITE1(config-if)#tunnel source 12.1.1.1
SITE1(config-if)#tunnel destination 23.1.1.3
SITE2(config)#interface tunnel 0
SITE2(config-if)#ip address 20.1.1.2 255.255.255.0
SITE2(config-if)#tunnel source 23.1.1.3
SITE2(config-if)#tunnel destination 12.1.1.1
Phase 1: establish the ISAKMP SA. IKEv1 main mode uses six messages (three round trips): the first two negotiate the policy below, the next two carry the Diffie-Hellman exchange, and the last two authenticate the peers with the pre-shared key. The policy used here (3DES, MD5, DH group 2 and the key cisco) is acceptable for a lab only; in production use aes 256, sha256, group 14 or higher and a long random key, or move to certificates or IKEv2. The key is bound to the peer address, so the address in crypto isakmp key must match the set peer address in the crypto map.
SITE1(config)#crypto isakmp policy 10
SITE1(config-isakmp)#encryption 3des
SITE1(config-isakmp)#group 2
SITE1(config-isakmp)#authentication pre-share
SITE1(config-isakmp)#hash md5
SITE1(config)#crypto isakmp key cisco address 23.1.1.3
Phase 2: establish the IPsec SAs. Quick mode uses three messages and negotiates the transform set and the traffic selectors defined by the crypto ACL. Here the ACL matches GRE between the two tunnel endpoints, so everything inside the tunnel (OSPF and user traffic alike) is encrypted. The ACL on the other site must be the exact mirror image, and the crypto map is applied to the physical outside interface, not to Tunnel0:
SITE1(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE1(config)#crypto map vpn 10 ipsec-isakmp
SITE1(config-crypto-map)#set peer 23.1.1.3
SITE1(config-crypto-map)#set transform-set ccie
SITE1(config-crypto-map)#match address test
SITE1(config)#ip access-list extended test
SITE1(config-ext-nacl)#permit gre host 12.1.1.1 host 23.1.1.3
SITE1(config)#interface f1/0
SITE1(config-if)#crypto map vpn
SITE2(config)#crypto isakmp policy 10
SITE2(config-isakmp)#encryption 3des
SITE2(config-isakmp)#group 2
SITE2(config-isakmp)#authentication pre-share
SITE2(config-isakmp)#hash md5
SITE2(config)#crypto isakmp key cisco address 12.1.1.1
SITE2(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE2(config)#crypto map vpn 10 ipsec-isakmp
SITE2(config-crypto-map)#set peer 12.1.1.1
SITE2(config-crypto-map)#set transform-set ccie
SITE2(config-crypto-map)#match address test
SITE2(config)#ip access-list extended test
SITE2(config-ext-nacl)#permit gre host 23.1.1.3 host 12.1.1.1
SITE2(config)#interface f1/1
SITE2(config-if)#crypto map vpn
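The phase 1 policy, the transform set and the crypto ACL above are the places where a GRE over IPsec deployment is most often either weakened or mis-mirrored. The following Python script is an added example and not part of the original lab: it parses the two site configurations (embedded as constructed config fragments copied from the steps above; SITE2 is built by swapping the two public addresses, which is exactly what "mirror image" means here), flags deprecated algorithms and a weak pre-shared key, and checks that each site's set peer, isakmp key address, tunnel endpoints and crypto ACL agree with the other site. The function names (parse_site, weak_crypto, endpoint_consistency) and the weak-algorithm lists are this example's own choices, not IOS or lab conventions.

```python
import re

# This example's own baseline of IKEv1/IPsec settings that should not be
# used for new deployments; adjust to your organisation's policy.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha"}          # "sha" in an isakmp policy means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
WELL_KNOWN_PSKS = {"cisco", "cisco123", "password", "secret"}

# Constructed fragment: the relevant SITE1 lines from the lab steps above.
SITE1_CFG = """
interface Tunnel0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.3
crypto isakmp policy 10
 encryption 3des
 group 2
 authentication pre-share
 hash md5
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set ccie esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 23.1.1.3
 match address test
ip access-list extended test
 permit gre host 12.1.1.1 host 23.1.1.3
"""

# SITE2 is the mirror image: the two public addresses are swapped everywhere.
SITE2_CFG = (SITE1_CFG.replace("12.1.1.1", "@").replace("23.1.1.3", "12.1.1.1")
             .replace("@", "23.1.1.3"))


def parse_site(cfg):
    """Extract tunnel endpoints, IKE policy, transform set, PSK and crypto ACL."""
    info = {"policy": {}, "acl": [], "tset": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"tunnel source (\S+)", line):
            info["tun_src"] = m.group(1)
        elif m := re.fullmatch(r"tunnel destination (\S+)", line):
            info["tun_dst"] = m.group(1)
        elif m := re.fullmatch(r"set peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            info["psk"], info["psk_peer"] = m.group(1), m.group(2)
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            info["tset"] = m.group(1).split()
        elif m := re.fullmatch(r"permit gre host (\S+) host (\S+)", line):
            info["acl"].append((m.group(1), m.group(2)))
        elif m := re.fullmatch(r"(encryption|hash|group) (.+)", line):
            info["policy"][m.group(1)] = m.group(2)
    return info


def weak_crypto(info):
    """Return findings for deprecated algorithms and a weak pre-shared key."""
    findings, pol = [], info["policy"]
    if pol.get("encryption") in WEAK_CIPHERS:
        findings.append(f"isakmp encryption {pol['encryption']}: use aes 256")
    if pol.get("hash") in WEAK_HASHES:
        findings.append(f"isakmp hash {pol['hash']}: use sha256 or stronger")
    if pol.get("group") in WEAK_DH_GROUPS:
        findings.append(f"isakmp group {pol['group']}: use group 14 or higher")
    for t in info["tset"]:
        if t in WEAK_TRANSFORMS:
            findings.append(f"transform {t}: use esp-aes 256 with esp-sha256-hmac")
    psk = info.get("psk", "")
    if len(psk) < 16 or psk.lower() in WELL_KNOWN_PSKS:
        findings.append("pre-shared key is short or well known: use a long random key")
    return findings


def endpoint_consistency(local, remote):
    """Check that peer, key binding, tunnel endpoints and crypto ACL agree."""
    problems = []
    if local.get("peer") != remote.get("tun_src"):
        problems.append("set peer does not match the remote tunnel source")
    if local.get("psk_peer") != local.get("peer"):
        problems.append("isakmp key address does not match set peer")
    if local.get("psk") != remote.get("psk"):
        problems.append("pre-shared keys differ between sites")
    want = (local.get("tun_src"), local.get("tun_dst"))
    if want not in local["acl"]:
        problems.append(f"crypto ACL does not permit gre {want[0]} -> {want[1]}")
    # The remote ACL with source/destination swapped must match ours.
    if not set(local["acl"]) & {(d, s) for s, d in remote["acl"]}:
        problems.append("crypto ACL is not the mirror image of the remote ACL")
    return problems


if __name__ == "__main__":
    s1, s2 = parse_site(SITE1_CFG), parse_site(SITE2_CFG)
    for name, local, remote in (("SITE1", s1, s2), ("SITE2", s2, s1)):
        print(name, "weak settings:", weak_crypto(local))
        print(name, "consistency:", endpoint_consistency(local, remote) or "ok")
```

Run against the lab configuration the consistency check passes for both sites (the ACLs mirror each other and the peer, key address and tunnel destination all agree), while the algorithm audit reports every phase 1 and phase 2 setting plus the key. The same script applied to the hardened settings named in the phase 1 note (aes 256, sha256, group 14, esp-aes 256 with esp-sha256-hmac, a long key) reports nothing.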
Run a dynamic routing protocol over the tunnel. OSPF peers across Tunnel0 (20.1.1.0/24) and advertises each site's internal network. Only the tunnel and the private networks are advertised: if the tunnel endpoint subnets (12.1.1.0/24, 23.1.1.0/24) were learned through the tunnel, the router would try to reach the tunnel destination via the tunnel itself (recursive routing) and the tunnel would flap. Here the endpoints are reached through the static default routes, so this cannot happen:
SITE1(config)#router ospf 110
SITE1(config-router)#router-id 1.1.1.1
SITE1(config-router)#network 20.1.1.1 0.0.0.0 area 0
SITE1(config-router)#network 192.168.1.0 0.0.0.255 area 0
SITE2(config)#router ospf 110
SITE2(config-router)#router-id 2.2.2.2
SITE2(config-router)#network 20.1.1.2 0.0.0.0 area 0
SITE2(config-router)#network 10.1.1.1 0.0.0.0 area 0
Verification:
From the PC, ping SITE2's loopback; the path runs through the GRE tunnel and is protected by IPsec:
PC#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/92/100 ms
The OSPF adjacency forms over Tunnel0. The state FULL/ - (no DR or BDR) is expected, since a GRE tunnel is a point-to-point OSPF network type:
SITE1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:38    20.1.1.2        Tunnel0
SITE2's loopback is learned through the tunnel (as a /32, because OSPF advertises loopback interfaces as host routes by default):
SITE1#show ip route ospf
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/1001] via 20.1.1.2, 00:25:47, Tunnel0
IPsec SAs are unidirectional, so two IPsec entries appear: one only decrypts (inbound) and one only encrypts (outbound). The IKE entry is the phase 1 SA. Encrypt and decrypt counters that climb together with each ping confirm that the GRE traffic is actually being protected rather than bypassing the crypto map; show crypto isakmp sa and show crypto ipsec sa give the same information in more detail:
SITE1#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
    1  IPsec   3DES+MD5                  0      205 12.1.1.1
    2  IPsec   3DES+MD5                202        0 12.1.1.1
 1001  IKE     MD5+3DES                  0        0 12.1.1.1